[00:00.970 --> 00:06.050]  My name is Walter Cuestas and I'm from Peru in South America.
[00:06.170 --> 00:12.550]  I'm going to talk about a vector that is not very commented on or used in red teaming exercises.
[00:13.110 --> 00:17.410]  And this is about using applications as the initial compromise.
[00:19.230 --> 00:22.910]  The not so classic Juanma in this case.
[00:23.070 --> 00:29.710]  I want to point out that everything I'm going to explain is what we've learned with the team I belong to.
[00:29.710 --> 00:36.150]  We have been working together for several years doing pen testing and red teaming.
[00:36.150 --> 00:38.980]  Actually in some cases for more than 12 years.
[00:39.390 --> 00:43.890]  So you will see some examples of our collective effort.
[00:45.010 --> 00:49.190]  And the question may arise, why two applications?
[00:49.690 --> 00:51.710]  There are several reasons.
[00:52.010 --> 00:58.630]  Because we believe that red teaming is not only about getting domain admin or root.
[00:58.630 --> 01:03.070]  Because having that power does not always mean you can access data.
[01:03.070 --> 01:07.330]  Not every application is integrated with Active Directory for example.
[01:08.030 --> 01:12.830]  After some interaction with people on shares of threat management and hunting,
[01:13.170 --> 01:16.390]  they are so concentrated on AD and Windows 7.
[01:17.070 --> 01:22.950]  Organizations are not integrating application security yet in their effort to enhance security.
[01:23.590 --> 01:28.470]  Also defenders are always pushed to be warned about social engineering attacks.
[01:28.470 --> 01:31.910]  Or how attackers are bypassing endpoint security.
[01:31.950 --> 01:38.290]  Or the latest password spray technique against common services such as email.
[01:38.870 --> 01:43.710]  Someone could say that applications today are in the cloud.
[01:44.550 --> 01:50.310]  But we are seeing that few companies are migrating their core to the cloud.
[01:50.330 --> 01:55.850]  They still keep it on-premises and modern applications just need to go down to the core.
[01:55.850 --> 02:05.990]  And finally, because as all of us know, remote access services are delivered through web applications.
[02:07.390 --> 02:13.110]  One more reason, besides the fact that this happens in every other aspect of security,
[02:13.170 --> 02:17.650]  is that applications have suffered from the same problems for a long time.
[02:17.730 --> 02:21.030]  As you can see in this image from Exploit-DB.
[02:21.030 --> 02:26.430]  This is not only true for common applications, but also for embedded ones.
[02:26.470 --> 02:31.190]  We can see a Cisco device suffering from local file inclusion.
[02:31.510 --> 02:37.090]  And a very old kind of vulnerability in the application field.
[02:40.360 --> 02:43.480]  We want to share this small framework.
[02:43.700 --> 02:52.140]  We developed it just to have some order in what we do during regular exercises.
[02:52.140 --> 02:59.300]  I am not going to cover every module, just some high level about information gathering and enumeration.
[02:59.300 --> 03:02.680]  And more on initial compromise, of course.
[03:03.520 --> 03:09.780]  So let's talk about reconnaissance and especially about OSINT.
[03:10.400 --> 03:17.220]  As you know there are tons of tips, sources and how-tos about OSINT.
[03:17.220 --> 03:20.600]  We want to focus on some aspects.
[03:20.600 --> 03:23.580]  Searching DNS information is crucial.
[03:24.000 --> 03:29.480]  And it is important to know that we don't have to select just one tool for that task.
[03:29.600 --> 03:35.740]  Indeed, most of the time we have to aggregate the results from several of them.
[03:37.320 --> 03:48.900]  Search engines, such as Shodan, Censys, Sunmine for example, are most useful here.
[03:48.900 --> 03:54.500]  Because we don't have to touch our target at the first step.
[03:54.500 --> 03:58.600]  And these engines keep current data most of the time.
[03:59.120 --> 04:04.460]  Also, today a good search on surface internet is better than going deep.
[04:04.460 --> 04:14.420]  And special attention must be paid to source code leaked in the most innocent and honest ways by developers.
[04:14.440 --> 04:19.400]  And documents, which means that you have to read very long documents.
[04:20.300 --> 04:25.680]  So, we have a lot of tools and a lot of data.
[04:26.820 --> 04:29.540]  And let's talk about real world.
[04:29.540 --> 04:32.260]  There is no magic, nor a perfect tool.
[04:32.260 --> 04:38.380]  And there is no way to learn about our target organization without doing manual investigation.
[04:38.380 --> 04:44.360]  Spending hours reading information and taking notes that we will share with the team.
[04:44.960 --> 04:49.080]  Another fun moment is when a tool is not working as expected.
[04:49.180 --> 04:51.300]  Or we need more from it.
[04:51.300 --> 04:57.700]  That's when our developer skills are important and we start to feel happy.
[05:01.060 --> 05:12.260]  After a bunch of data, you need to give some form of order to this data to do your analysis.
[05:12.260 --> 05:14.480]  And it could be very simple.
[05:14.580 --> 05:17.640]  Just use human readable names for directories and files.
[05:17.640 --> 05:21.440]  I mean, not only for you, for the whole team.
[05:21.880 --> 05:26.480]  And you need to do a simple SELECT to get data, including images.
[05:26.680 --> 05:33.040]  There are very good tools, but if you don't have time or just don't want to install them,
[05:33.040 --> 05:35.980]  SQLite is a very good option.
[05:38.040 --> 05:41.020]  Then, what do we reckon?
[05:41.020 --> 05:48.980]  For us, the most important rule is not to underestimate your adversary.
[05:48.980 --> 05:51.320]  Who is your adversary?
[05:51.320 --> 05:53.220]  The blue guys, of course.
[05:53.540 --> 06:03.360]  We believe that not every admin is a fool and not every developer makes applications without security in mind.
[06:03.360 --> 06:07.580]  And not every threat hunter is just looking for an AD event.
[06:07.580 --> 06:09.300]  At least I guess so.
[06:09.300 --> 06:16.640]  As we are going after applications, there will be a moment to scan something in a very smooth way.
[06:17.060 --> 06:20.100]  Not now, as blue team is expecting that.
[06:20.780 --> 06:26.740]  Also, we are going to use the same techniques and tools as when testing applications.
[06:26.780 --> 06:34.600]  But we have to forget about OWASP, for example, because this is not a pentest nor a bug bounty.
[06:37.120 --> 06:40.380]  Let's start with initial compromise.
[06:40.380 --> 06:46.560]  And a small note about these cases that came from real world.
[06:46.560 --> 06:53.480]  In one case, we were able to recreate the same scenario we found; in another one, not.
[06:53.480 --> 07:01.160]  The main reason is that we don't get the same application versions as the ones we found during red team exercises.
[07:01.980 --> 07:06.000]  So, case 1 is here, we call it jumping.
[07:07.120 --> 07:10.280]  Because we are going to jump several times.
[07:10.280 --> 07:14.020]  The scenario is like this.
[07:14.160 --> 07:20.060]  This is a very common scenario where an organization is using cloud for new applications.
[07:20.100 --> 07:23.160]  Hybrid cloud may be the right name.
[07:23.540 --> 07:28.400]  We have the frontend of the application in the cloud, with a database.
[07:28.820 --> 07:33.780]  But it needs data also from the business core applications.
[07:34.080 --> 07:37.120]  And data that are still on-premises.
[07:37.120 --> 07:43.520]  We are looking for the secrets on that core because it's the most valuable information.
[07:43.780 --> 07:51.120]  And as happens today, there are so many digital transformation projects and few security controls.
[07:51.120 --> 07:53.200]  Everything is sales-driven.
[07:56.800 --> 08:03.820]  I know that this seems like a Hack The Box case, but it's not.
[08:03.820 --> 08:15.300]  Our first security test for digital transformation projects showed us that there is no control over the initiatives coming from different teams in the same organization.
[08:15.480 --> 08:21.050]  So, our reconnaissance found this exposed Jenkins administrative interface.
[08:21.560 --> 08:26.020]  In fact, it's exposed to the internet.
[08:26.100 --> 08:31.120]  With the option to create an account, which is not a default.
[08:31.120 --> 08:37.520]  This is not a surprise. This is a very well-known issue.
[08:38.140 --> 08:44.860]  But what is bad is that, by default, logged-in users can do anything.
[08:45.760 --> 08:56.320]  Having this in mind, let's take a look at the credentials section, where we found these keys.
[08:56.320 --> 09:06.350]  One for SSH access and the other one to get access to the cloud.
[09:09.580 --> 09:15.770]  One is an Amazon access key, but this is not enough.
[09:17.700 --> 09:21.820]  We also need the secret access key.
[09:21.820 --> 09:26.820]  As you can see, it seems this is properly secured.
[09:28.480 --> 09:41.620]  One of the things we learned from doing pentesting on applications is that client-side source code is something we always want to review.
[09:42.320 --> 09:49.920]  Just use developer or inspect mode and you will find not only HTML and common JavaScript.
[09:50.200 --> 09:55.180]  There are still developers that trust in client-side protections.
[09:55.180 --> 10:03.180]  And a not exactly related comment for this slide.
[10:03.180 --> 10:07.580]  Today JavaScript is very powerful at client-side.
[10:07.580 --> 10:11.540]  So, there are more reasons to review that code.
[10:12.060 --> 10:17.340]  But, as we can see, in this case it is encrypted.
[10:18.220 --> 10:26.500]  So, let's move on and check the SSH key to gain remote access.
[10:27.560 --> 10:34.300]  But, once again, this key is also encrypted.
[10:35.500 --> 10:46.580]  Now, a brief note: today there is a ton of information that we want and like, of course, to read, view and listen to.
[10:46.580 --> 10:52.980]  And when talking about reading, there is no magic scanner working for us.
[10:52.980 --> 11:02.080]  But, there are several cases where you won't find any previous information and this is when you get a research moment.
[11:05.300 --> 11:11.360]  Jenkins itself needs a way to decrypt that information in order to use it.
[11:11.940 --> 11:16.560]  And it has an option to run a script that we are going to use.
[11:16.560 --> 11:24.460]  As you can see, Jenkins provides all we need to do our job.
[11:28.010 --> 11:34.070]  A small and simple script will do the magic.
[11:34.790 --> 11:40.230]  And, voila, we got our keys decrypted.
[11:45.180 --> 11:55.280]  So, we use them to access the cloud with the same privileges as this Jenkins project has.
[11:55.280 --> 11:59.720]  Will they be for the production environment?
[12:00.400 --> 12:03.460]  Well, let's take a look.
[12:03.460 --> 12:14.740]  It seems clear that we are looking for instances as long as these credentials are used in an application project.
[12:14.740 --> 12:19.740]  We found the information of an instance and the corresponding IP address.
[12:20.400 --> 12:22.560]  Let's check it.
[12:23.600 --> 12:28.880]  Well, it's obvious that this is not our target.
[12:28.880 --> 12:35.920]  Maybe we can use it for our first jump, but it's not what we are looking for.
[12:38.520 --> 12:42.720]  Let's try with the other kind of access.
[12:42.880 --> 12:48.560]  I mean, accessing by SSH.
[12:49.980 --> 12:59.440]  And we are going to focus this time on searching for source code and reviewing that code.
[12:59.440 --> 13:05.600]  So, we start using the SSH key we got.
[13:05.600 --> 13:10.740]  And we got access to the cloud by SSH.
[13:10.740 --> 13:13.740]  And start to search for code.
[13:13.960 --> 13:16.500]  And we found some programs here.
[13:19.080 --> 13:35.780]  The first element to search for: we are looking for endpoint information, as long as it will show us some new paths, maybe credentials.
[13:37.500 --> 13:40.960]  And we got this config file.
[13:41.840 --> 13:53.860]  As I said, we can see that we got an endpoint and a set of credentials, username and password.
[13:54.060 --> 14:04.080]  And, of course, the API text means that we have information to access an API.
[14:04.480 --> 14:09.120]  And, of course, it will be a RESTful API.
[14:14.070 --> 14:18.190]  Checking from inside the cloud,
[14:18.790 --> 14:22.970]  we use curl and we got an answer.
[14:23.150 --> 14:26.510]  So, endpoint exists and could be working.
[14:27.150 --> 14:29.650]  Also, we got a redirection.
[14:30.570 --> 14:34.990]  And take a look: there is a cookie with a JSESSIONID.
[14:35.070 --> 14:39.550]  It smells like Java, although the code analyzed was PHP.
[14:39.550 --> 14:45.730]  But we need to be more comfortable with a browser and other tools.
[14:46.230 --> 15:07.490]  So, using this SSH connection as a proxy and configuring our browser, we can see that we are identified with the IP from the instance.
[15:13.810 --> 15:24.670]  Also, when browsing an API URL, we got another application related directly to the previous one and the API.
[15:26.770 --> 15:31.010]  But we have no access to other databases.
[15:31.570 --> 15:35.790]  Only the API is exposed to the cloud instances.
[15:36.290 --> 15:38.830]  Just from the cloud instances.
[15:38.830 --> 15:45.910]  Our real target is on-premises with core applications, the legacy ones.
[15:47.850 --> 15:52.130]  Do you remember the JSESSIONID cookie?
[15:52.130 --> 16:01.830]  Well, that and the app server listening on port 8080 seem pretty much like Tomcat.
[16:02.830 --> 16:11.950]  It's better to make regular traffic with a browser or curl to do banner grabbing.
[16:12.970 --> 16:19.010]  I mean, we are not going to use our nmap, for example.
[16:19.850 --> 16:31.810]  And checking Tomcat related ports, we found port 8009 open for the Apache JServ Protocol.
[16:31.810 --> 16:45.670]  This AJP is a binary protocol mainly used for reverse proxying between a front-end web server and a back-end application server, such as Apache and Tomcat itself.
[16:46.110 --> 16:50.160]  It's shorter, faster and, of course, vulnerable.
[16:51.480 --> 17:05.440]  Ghostcat was announced this year, and this vulnerability allows arbitrary file reading and Java Server Pages (JSP) processing.
[17:05.880 --> 17:12.380]  It means real-world command execution.
[17:12.580 --> 17:18.820]  And, of course, there is AJP Shooter to exploit it.
[17:18.820 --> 17:24.660]  We are going to start using proxychains, as long as this tool is not proxy-aware.
[17:24.740 --> 17:29.260]  And from now on we will be searching mainly for configuration files.
[17:35.510 --> 17:40.150]  Finding an upload servlet doesn't mean everything is easy.
[17:40.730 --> 17:43.570]  Let's review that servlet source code.
[17:44.490 --> 17:55.090]  Again, getting the file with AJP Shooter, we found the upload directory.
[17:55.990 --> 18:00.650]  And it has some security control.
[18:00.830 --> 18:07.950]  It accepts only JPG or PNG extensions.
[18:12.360 --> 18:17.520]  So, we are going to use a simple web shell to start.
[18:17.700 --> 18:20.600]  We don't want web shell with fireworks.
[18:20.740 --> 18:29.640]  First task on arrival is to change the image name extension from JPG to JSP.
[18:30.240 --> 18:39.780]  And remember that Ghostcat allows for JSP processing, but you don't have to use that extension to ask AJP Shooter to do that for you.
[18:42.460 --> 18:47.760]  Upload and execute our special image.
[18:47.920 --> 18:52.020]  Just a curl for the upload.
[18:52.560 --> 18:59.180]  And of course, AJP Shooter for execution.
[18:59.480 --> 19:05.120]  This script accepts two parameters, read and eval.
[19:05.120 --> 19:08.010]  Eval is for processing the JSP.
[19:08.010 --> 19:18.330]  And as you can see at the bottom of the last image, the first command to execute is to rename the JPG to JSP.
[19:18.530 --> 19:25.230]  So, we start doing enumeration.
[19:26.170 --> 19:33.150]  For example, we are using an account called tomcat.
[19:33.150 --> 19:40.110]  It's a limited account, no high-level privileges, but we can do some network enumeration.
[19:40.870 --> 19:44.910]  And we are going to search for configuration files.
[19:45.450 --> 19:52.530]  After that, we realize that we need to use an improved web shell.
[19:52.650 --> 19:56.210]  So, we upload this one.
[19:57.510 --> 20:09.010]  Searching through the configuration files, we found another endpoint and more credentials that are not from the cloud instance, neither the Tomcat server.
[20:09.890 --> 20:13.710]  You could ask: MySQL in the core?
[20:13.770 --> 20:18.090]  Well, actually it was Oracle, but MySQL was enough for recreation.
[20:18.850 --> 20:22.790]  We are going to connect to this database server.
[20:22.790 --> 20:27.530]  And hopefully we will find the core secrets.
[20:30.510 --> 20:37.230]  Let's use the options of our improved web shell to connect to the database.
[20:38.910 --> 20:50.110]  And when showing databases, we could see that this is not the precious secret we are looking for.
[20:52.240 --> 21:03.980]  Also, this account doesn't have enough privileges, so we have to try harder.
[21:09.130 --> 21:17.450]  Well, we tried harder and found another set of credentials in another configuration file for another application.
[21:17.810 --> 21:22.150]  Same endpoint, but different credentials.
[21:24.810 --> 21:29.110]  Let's try these credentials.
[21:29.670 --> 21:40.350]  And finally, we got the core secrets with maximum privileges.
[21:40.790 --> 21:46.830]  From here, we can dump data and exfiltrate it.
[21:46.830 --> 21:51.230]  We can modify, add or delete databases.
[21:51.230 --> 21:55.270]  We didn't own the domain, we owned the database.
[21:57.130 --> 21:59.610]  So, here are the secrets.
[22:04.190 --> 22:06.970]  Some questions and tips.
[22:07.550 --> 22:20.270]  I guess that someone is monitoring this kind of activity, maybe those application firewalls that are looking for injections or sophisticated malware, not this kind of normal traffic.
[22:20.270 --> 22:35.290]  When we do red teaming, we start with a couple of red teamers, and add extra ones as needed, just to have people with enough skills and experience.
[22:37.330 --> 22:43.710]  Indeed, also during pen testing, reviewing source code is a must.
[22:44.970 --> 22:53.570]  Sometimes, developers and admins follow guides strictly and keep some information that is not mandatory to do so.
[22:54.690 --> 23:05.730]  Maybe this is a new kind of default credentials, but we found cases in sample code from howtos in some application's production environment.
[23:06.730 --> 23:25.190]  Just one note, I was kidding when I said that this is normal traffic, but you understand that this is not a kind of sophisticated traffic that we read all the time in the news.
[23:26.910 --> 23:34.690]  Sometimes, it works better because protection devices are waiting for that sophisticated traffic.
[23:35.430 --> 23:38.190]  So, what's next?
[23:39.450 --> 23:48.590]  At least for us, the main objectives of doing a red team exercise are to test the time to detect and the time to mitigate.
[23:48.590 --> 24:00.330]  But let's face it, most organizations just want to have an almost real-world experience with attackers, and real ones are looking for ways to get money from their attacks or some kind of power.
[24:00.330 --> 24:05.830]  So, let's think as them and elaborate ways to exploit the information.
[24:06.790 --> 24:14.450]  To keep everything organized, we have to integrate this initial compromise with our C2; my favorite one is Posh, of course.
[24:14.450 --> 24:23.670]  There are command executions in a couple of jams, maybe it could be useful for lateral movement.
[24:30.260 --> 24:37.940]  Let's move on to case 2, dynamic duo.
[24:43.100 --> 24:50.020]  Remote access is required; before COVID-19 it was needed, and after this it is a must.
[24:50.280 --> 24:54.300]  But how is this kind of service related to applications?
[24:54.440 --> 25:06.780]  Well, as long as these services use protocols like HTTPS, as long as the users and admins use their browser to do their thing,
[25:06.780 --> 25:14.980]  as long as these interfaces are using HTML, JavaScript and running CGI and several scripting languages,
[25:15.600 --> 25:21.180]  as long as they bleed also, I mean, they have common application vulnerabilities also.
[25:22.700 --> 25:26.960]  This is our scenario for this case.
[25:26.960 --> 25:41.380]  This company has two remote access servers. Why? Migration, backup. Both integrated with Active Directory, and a perimeter with some good protection.
[25:42.080 --> 25:50.860]  They can't work together, we are going to see how.
[25:50.860 --> 26:00.900]  By the way, this will be the traditional red teaming, getting domain admin from the beginning.
[26:03.260 --> 26:16.920]  Let's find out what is the origin of these vulnerabilities, or when we realized that these vulnerabilities exist.
[26:16.920 --> 26:25.060]  Last year, these researchers showed several vulnerabilities they discovered on SSL VPN appliances.
[26:25.380 --> 26:28.720]  After that, exploits started to appear.
[26:29.200 --> 26:42.980]  But, as everyone who knows how to use a gun knows, this is not just point and shoot; you have to know how your gun works, how your tool works, and take care of your gun or your tool.
[26:46.260 --> 26:53.460]  In the more traditional service, there are always several exit paths to command execution.
[26:54.220 --> 27:04.300]  So, let's start with one of them, Pulse Connect Secure.
[27:04.300 --> 27:11.420]  One of the vulnerable appliances showed last year was this Pulse Connect Secure.
[27:11.420 --> 27:13.660]  There are several versions affected.
[27:13.660 --> 27:19.100]  Again, we found an administrative interface exposed to internet.
[27:19.120 --> 27:39.080]  We have several credentials to try coming from reconnaissance, but maybe doing some kind of password spray against this device could start the alerts.
[27:39.080 --> 27:56.060]  So, maybe we shouldn't try them, and we are going to do some kind of special reconnaissance in the way that we test applications.
[27:56.280 --> 28:01.460]  Why don't we try with a proxy like Burp?
[28:02.400 --> 28:11.500]  As in case one, we keep updated, reading, viewing and listening a lot of information. Actually, we like that a lot.
[28:11.500 --> 28:20.300]  So, checking if this device is vulnerable to pre-authentication arbitrary file reading is as easy as sending a request.
[28:20.420 --> 28:27.600]  We are using Burp just because it is our favorite tool for applications security testing.
[28:27.600 --> 28:32.920]  And as we can see, this appliance is vulnerable.
[28:33.060 --> 28:54.000]  We are reading files like PulseWD with a list of users, and several other files, such as the one with the hosts registered manually in this file.
[28:54.000 --> 28:56.980]  So, this device is vulnerable.
[28:57.220 --> 29:09.480]  And we are going to use a script, which Fox made, a bash script to exploit this vulnerability.
[29:09.780 --> 29:19.560]  Also, we want to give a small recognition to all these young people helping others automating the exploitation.
[29:19.560 --> 29:29.560]  That's the reason for that small white message there.
[29:29.820 --> 29:33.720]  This script will download several files.
[29:34.220 --> 29:39.980]  Some are pure plain text and some are data structured in another format.
[29:39.980 --> 29:51.760]  All contain critical information: keys, usernames, passwords, IP addresses, operating systems of users and so on.
[29:52.440 --> 30:08.880]  For example, we got local users, which are Active Directory users if the appliance is integrated with that directory service.
[30:08.880 --> 30:18.080]  And also VPN logins that are usernames with passwords all in plain text.
[30:18.180 --> 30:29.340]  Yes, in 2020 there are still security appliances storing credentials in just plain or clear text.
[30:29.340 --> 30:44.660]  Also, we got SSH keys, but we are not going to use them because the external firewall is doing its job very well.
[30:44.980 --> 30:53.020]  So, we have another group of information.
[30:55.280 --> 30:57.920]  We got clear text credentials.
[30:58.920 --> 31:04.220]  And we got inside Pulse Connect Secure with user level credentials.
[31:04.220 --> 31:07.240]  Just that, just loose user level.
[31:08.060 --> 31:12.020]  That's not too much to do with that.
[31:12.380 --> 31:20.040]  But some usernames have a kind of active directory look and feel.
[31:20.520 --> 31:22.520]  And they weren't in clear text.
[31:22.520 --> 31:27.900]  We got the hashes of the passwords.
[31:27.900 --> 31:31.680]  So, John the Ripper came and did its thing.
[31:32.180 --> 31:33.720]  Cracked hashes.
[31:34.640 --> 31:41.120]  And after that, we got access as user.
[31:41.700 --> 31:47.720]  Also, not too many applications delivered for end users.
[31:48.040 --> 31:50.120]  And as admin.
[31:57.100 --> 32:09.880]  So, doing more checks, there is integration with Active Directory enabled.
[32:09.880 --> 32:13.940]  As we can see with these authentication servers.
[32:14.640 --> 32:22.280]  And for that integration, of course, you need an account to access the Active Directory.
[32:22.280 --> 32:27.260]  An administrator level account for Active Directory.
[32:27.260 --> 32:30.400]  So, we got domain admin.
[32:32.100 --> 32:41.540]  And yes, as you can guess, there is credential reuse in this organization also.
[32:42.520 --> 32:46.580]  But then, this thing doesn't stop here.
[32:46.580 --> 32:53.660]  Because this software is also vulnerable to command execution.
[32:54.860 --> 33:00.640]  So, after doing some enumeration of users.
[33:01.100 --> 33:08.980]  And testing if we can reach the domain controllers of this Active Directory.
[33:09.660 --> 33:13.660]  We went for command execution.
[33:13.660 --> 33:19.040]  For this, we need credentials. We have those credentials.
[33:19.260 --> 33:22.680]  Because this vulnerability is post-authentication.
[33:22.680 --> 33:26.360]  We can inject commands and execute.
[33:26.360 --> 33:28.480]  There is a public exploit.
[33:29.120 --> 33:32.980]  This is another exploit made in Python.
[33:33.360 --> 33:37.460]  And what it does is take credentials we got.
[33:37.460 --> 33:43.900]  And do the magic to allow us to connect to the appliance by SSH.
[33:44.240 --> 33:50.500]  What it does is download our SSH key to the appliance.
[33:51.040 --> 33:56.080]  But there is a firewall, as I said, that doesn't allow connecting by SSH.
[33:56.080 --> 34:03.260]  So, we have to do small modifications to the script in order to use it.
[34:04.920 --> 34:09.060]  As you can see, just comment some lines.
[34:09.540 --> 34:11.260]  And add parameter manipulation.
[34:11.260 --> 34:17.340]  Plus, we are going to use Burp for the output.
[34:18.060 --> 34:20.780]  This script is proxy-aware for debugging purposes.
[34:20.780 --> 34:24.700]  So, we don't have to add anything about that.
[34:24.780 --> 34:30.560]  And now, we are executing commands on the appliance.
[34:31.400 --> 34:35.660]  So, question arises, is this enough?
[34:37.740 --> 34:38.580]  Well...
[34:38.580 --> 34:47.880]  As there is a Robin for every Batman, or vice versa.
[34:48.900 --> 34:51.160]  We got Pulse Connect Secure.
[34:51.160 --> 34:54.840]  And it has Citrix right by its side.
[34:55.200 --> 34:59.940]  That was perfect for us, because having only one foot inside
[34:59.940 --> 35:02.040]  is not enough.
[35:05.910 --> 35:08.270]  And... guess what?
[35:08.410 --> 35:10.630]  Credential reuse is everywhere.
[35:10.970 --> 35:16.350]  We got access with the same credentials as the ones in the other appliance.
[35:17.150 --> 35:22.450]  Of course, they are Active Directory integrated.
[35:23.070 --> 35:27.350]  And in this case, it has more applications deployed.
[35:27.350 --> 35:31.610]  And we started to check one by one.
[35:33.370 --> 35:41.910]  Special focus on traditional Windows applications delivered using distinct clients.
[35:41.910 --> 35:46.850]  Because there are several ways to escape to Windows Command Shell or PowerShell.
[35:46.850 --> 35:51.490]  So, this application looks as the one we are looking for.
[35:51.810 --> 35:56.950]  As you can see, it loads an instance of Windows.
[35:58.250 --> 36:01.210]  This is the application starting.
[36:01.890 --> 36:07.230]  And this is the application login pop-up.
[36:11.110 --> 36:19.330]  Escaping from the Citrix jail has a long history, from several years ago until today.
[36:19.330 --> 36:24.390]  At first, it is based on pressing some keys on the keyboard.
[36:24.390 --> 36:30.590]  For example, in this case, pressing CTRL+ALT+DELETE does the trick.
[36:31.230 --> 36:39.710]  In other cases, WINDOWS STICKY KEYS, pressing SHIFT five times or ICA KEYS from Citrix.
[36:40.330 --> 36:51.090]  To gain access to CMD or PowerShell, you can use dialogs such as FILE AND OPEN or FILE AND NEW TASK from Task Manager as you will see.
[36:51.090 --> 36:55.350]  There are more on this to bypass file restrictions.
[36:55.350 --> 37:02.340]  There are several documents showing how to do that.
[37:04.170 --> 37:17.420]  So, TASK MANAGER, NEW TASK, CMD EXE and we got CMD in action.
[37:18.900 --> 37:29.770]  From there on, we did some enumeration, classic WINDOWS and AD enumeration.
[37:30.120 --> 37:34.450]  But more important, search for valuable information.
[37:35.500 --> 37:46.380]  To tell the truth, you can see that we found here some files with credentials and IP addresses.
[37:46.380 --> 37:55.800]  But in this case, we just confirmed that this kind of information was accurate and updated.
[37:55.800 --> 38:03.840]  Because we got this information from one repository on GitHub during reconnaissance.
[38:07.750 --> 38:16.730]  After this, we are going to see the light in terms of infrastructure penetration.
[38:17.450 --> 38:21.070]  Because good network segmentation is still a dream.
[38:21.630 --> 38:26.230]  There are yet several exceptions breaking ACLs.
[38:26.230 --> 38:31.030]  And in 2020 it is not true that only end-users are good victims.
[38:31.410 --> 38:40.610]  We are going to try to shoot at developers, internal and external ones, IT people and security people.
[38:40.610 --> 38:45.870]  Why? Because they have more power on their machines than end-users.
[38:45.870 --> 38:47.510]  As simple as that.
[38:51.920 --> 39:09.270]  Some tips about this kind of initial compromise.
[39:09.940 --> 39:12.960]  We have two doors opened.
[39:13.960 --> 39:19.440]  In that moment, it was important to warn the customer about that.
[39:20.440 --> 39:23.500]  The customer had to warn the subguides.
[39:23.500 --> 39:28.920]  Also the prevention, correlation and event management solutions had to be warned.
[39:29.120 --> 39:34.300]  It is important to be as smooth as possible.
[39:35.140 --> 39:46.580]  But there are some cases where you cannot wait until the end of the red team exercise to warn the customer.
[39:46.580 --> 39:58.880]  Also, as part of these smooth actions, you should avoid creating accounts.
[39:58.880 --> 40:02.780]  At least not god-level ones.
[40:02.780 --> 40:08.760]  It is better to use a simple user account and give power to that account.
[40:08.760 --> 40:16.910]  In some situations it won't be possible, so do that: create an account after several checks.
[40:17.420 --> 40:19.890]  Always keep logs in mind.
[40:21.020 --> 40:28.800]  And of course, delete just entries belonging to your work.
[40:29.240 --> 40:33.840]  Remember to never underestimate your adversary.
[40:33.840 --> 40:43.100]  Be patient, this is not a game, and this is the reason why red team exercises have enough time.
[40:43.620 --> 40:45.280]  Have fun, of course.
[40:46.320 --> 40:53.880]  Finally, I want to thank Omar and all the crew at Red Team Village.
[40:54.000 --> 41:01.000]  They do an awesome job all the time, just for giving back to the community.
[41:01.000 --> 41:01.240]  Ciao!
